Bump undici, @cloudflare/vite-plugin and wrangler

[dependabot]

Bumps undici to 7.24.4 and updates ancestor dependencies undici, @cloudflare/vite-plugin and wrangler. These dependencies need to be updated together.

Updates undici from 7.18.2 to 7.24.4

Release notes

Sourced from undici's releases.

v7.24.4

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in nodejs/undici#4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in nodejs/undici#4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

• fix fetch path logic by @​KhafraDev in nodejs/undici#4890
• remove maxDecompressedMessageSize by @​KhafraDev in nodejs/undici#4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

What's Changed

• fix: proto pollution by @​rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)

... (truncated)

Commits

• 4991f3e Bumped v7.24.4
• ea3a06d fix(fetch): preserve path for credentialed URLs (#4892)
• 9b96516 Bumped v7.24.3
• 7926660 Ignore .githuman
• 9eaa5af fix(h2): TypeError: Cannot read properties of null (reading 'push') in Reques...
• a9bfe21 ignore .pi
• f2e155b Bumped v7.24.2
• 4d2d1af remove maxDecompressedMessageSize (#4891)
• 3a05a4f fix fetch path logic (#4890)
• 23e3cd3 Bumped v7.24.1
• Additional commits viewable in compare view

Updates @cloudflare/vite-plugin from 1.21.1 to 1.31.2

Release notes

Sourced from @​cloudflare/vite-plugin's releases.

@​cloudflare/vite-plugin@​1.31.2

Patch Changes

• Updated dependencies [42c7ef0, c510494, 8b71eca, a42e0e8, 7ca6f6e]:
  • miniflare@4.20260409.0
  • wrangler@4.81.1

@​cloudflare/vite-plugin@​1.31.1

Patch Changes

• Updated dependencies [a3e3b57, 7d318e1, fa6d84f, 96ee5d4, 7d318e1, 7a60d4b, 78cbe37, 6fa5dfd]:
  • miniflare@4.20260405.0
  • wrangler@4.81.0

@​cloudflare/vite-plugin@​1.31.0

Minor Changes

• #13011 b9b7e9d Thanks @​ruifigueira! - Add experimental headful browser rendering support for local development

  Experimental: This feature may be removed or changed without notice.

  When developing locally with the Browser Rendering API, you can enable headful (visible) mode via the X_BROWSER_HEADFUL environment variable to see the browser while debugging:

  X_BROWSER_HEADFUL=true wrangler dev
  X_BROWSER_HEADFUL=true vite dev

  Note: when using @cloudflare/playwright, two Chrome windows may appear — the initial blank page and the one created by browser.newPage(). This is expected behavior due to how Playwright handles browser contexts via CDP.

• #13051 d5bffde Thanks @​dario-piotrowicz! - Update getLocalWorkerdCompatibilityDate to return today's date

  The re-exported getLocalWorkerdCompatibilityDate function from @cloudflare/vite-plugin previously resolved the workerd compatibility date by traversing the local miniflare installation, which was unreliable in some package manager setups. It now simply returns today's date. The function is also marked as deprecated — callers should just use today's date instead, for example like so: new Date().toISOString().slice(0, 10)

Patch Changes

• #13125 f76652c Thanks @​kayluhb! - Fix SyntaxError when SSR-transformed module ends with a single-line comment

  When module code ends with a // comment (e.g. //# sourceMappingURL=... preserved by vite-plus), the closing } of the async wrapper in runInlinedModule was absorbed into the comment, causing SyntaxError: Unexpected end of input. Adding a newline before the closing brace prevents this.

• #13188 110002c Thanks @​shulaoda! - Normalize the return value of getAssetsDirectory() with vite.normalizePath() to ensure assets.directory in the output wrangler.json always uses forward slashes

• Updated dependencies [9c4035b, 5d29055, fb67a18, d5bffde, ab44870, 48d83ca, b2f53ea, b9b7e9d, 14e72eb, 4dc94fd, b2f53ea, d5bffde, 48d83ca]:

  • wrangler@4.80.0
  • miniflare@4.20260401.0

@​cloudflare/vite-plugin@​1.30.3

Patch Changes

• #13111 f214760 Thanks @​dependabot! - Add missing connect key to WorkerEntrypoint and DurableObject key lists in the runner worker

... (truncated)

Changelog

Sourced from @​cloudflare/vite-plugin's changelog.

1.31.2

Patch Changes

• Updated dependencies [42c7ef0, c510494, 8b71eca, a42e0e8, 7ca6f6e]:
  • miniflare@4.20260409.0
  • wrangler@4.81.1

1.31.1

Patch Changes

• Updated dependencies [a3e3b57, 7d318e1, fa6d84f, 96ee5d4, 7d318e1, 7a60d4b, 78cbe37, 6fa5dfd]:
  • miniflare@4.20260405.0
  • wrangler@4.81.0

1.31.0

Minor Changes

• #13011 b9b7e9d Thanks @​ruifigueira! - Add experimental headful browser rendering support for local development

  Experimental: This feature may be removed or changed without notice.

  When developing locally with the Browser Rendering API, you can enable headful (visible) mode via the X_BROWSER_HEADFUL environment variable to see the browser while debugging:

  X_BROWSER_HEADFUL=true wrangler dev
  X_BROWSER_HEADFUL=true vite dev

  Note: when using @cloudflare/playwright, two Chrome windows may appear — the initial blank page and the one created by browser.newPage(). This is expected behavior due to how Playwright handles browser contexts via CDP.

• #13051 d5bffde Thanks @​dario-piotrowicz! - Update getLocalWorkerdCompatibilityDate to return today's date

  The re-exported getLocalWorkerdCompatibilityDate function from @cloudflare/vite-plugin previously resolved the workerd compatibility date by traversing the local miniflare installation, which was unreliable in some package manager setups. It now simply returns today's date. The function is also marked as deprecated — callers should just use today's date instead, for example like so: new Date().toISOString().slice(0, 10)

Patch Changes

• #13125 f76652c Thanks @​kayluhb! - Fix SyntaxError when SSR-transformed module ends with a single-line comment

  When module code ends with a // comment (e.g. //# sourceMappingURL=... preserved by vite-plus), the closing } of the async wrapper in runInlinedModule was absorbed into the comment, causing SyntaxError: Unexpected end of input. Adding a newline before the closing brace prevents this.

• #13188 110002c Thanks @​shulaoda! - Normalize the return value of getAssetsDirectory() with vite.normalizePath() to ensure assets.directory in the output wrangler.json always uses forward slashes

• Updated dependencies [9c4035b, 5d29055, fb67a18, d5bffde, ab44870, 48d83ca, b2f53ea, b9b7e9d, 14e72eb, 4dc94fd, b2f53ea, d5bffde, 48d83ca]:

  • wrangler@4.80.0
  • miniflare@4.20260401.0

1.30.3

... (truncated)

Commits

• aad0341 Version Packages (#13355)
• 36c2c13 Version Packages (#13251)
• 0bbf104 Remove all eslint comment disabling no-restricted-imports from the vite-plugi...
• 0de6989 Version Packages (#13141)
• d5bffde Use today as the compat date instead of relying on the actual workerd compat ...
• 110002c fix(vite-plugin): normalize wrangler asset directory path separators for Wind...
• f76652c fix(vite-plugin): prevent SyntaxError when SSR module ends with // comment (#...
• b9b7e9d BRAPI-1010: Add experimental headful browser rendering support to wrangler / ...
• d927ee3 Version Packages (#13096)
• f214760 Bump the workerd-and-workers-types group with 2 updates (#13111)
• Additional commits viewable in compare view

Updates wrangler from 4.59.3 to 4.81.1

Release notes

Sourced from wrangler's releases.

wrangler@4.81.1

Patch Changes

• #13337 c510494 Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260405.1	1.20260408.1

• #13362 8b71eca Thanks @​dependabot! - Update dependencies of "miniflare", "wrangler"

  The following dependency versions have been updated:

  Dependency	From	To
  workerd	1.20260408.1	1.20260409.1

• #13329 7ca6f6e Thanks @​G4brym! - fix: Treat AI Search bindings as always-remote in local dev

  AI Search namespace (ai_search_namespaces) and instance (ai_search) bindings are always-remote (they have no local simulation), but pickRemoteBindings() did not include them in its always-remote type list. This caused the remote proxy session to exclude these bindings when remote: true was not explicitly set in the config, resulting in broken AI Search bindings during wrangler dev.

  Additionally, removeRemoteConfigFieldFromBindings() in the deploy config-diff logic was not stripping the remote field from AI Search bindings, which could cause false config diffs during deployment.

• Updated dependencies [42c7ef0, c510494, 8b71eca, a42e0e8]:

  • miniflare@4.20260409.0

wrangler@4.81.0

Minor Changes

• #12932 96ee5d4 Thanks @​thomasgauvin! - feat: add wrangler email routing and wrangler email sending commands

  Email Routing commands:

  • wrangler email routing list - list zones with email routing status
  • wrangler email routing settings <domain> - get email routing settings for a zone
  • wrangler email routing enable/disable <domain> - enable or disable email routing
  • wrangler email routing dns get/unlock <domain> - manage DNS records
  • wrangler email routing rules list/get/create/update/delete <domain> - manage routing rules (use catch-all as the rule ID for the catch-all rule)
  • wrangler email routing addresses list/get/create/delete - manage destination addresses

  Email Sending commands:

  • wrangler email sending list - list zones with email sending
  • wrangler email sending settings <domain> - get email sending settings for a zone
  • wrangler email sending enable <domain> - enable email sending for a zone or subdomain
  • wrangler email sending disable <domain> - disable email sending for a zone or subdomain
  • wrangler email sending dns get <domain> - get DNS records for a sending domain
  • wrangler email sending send - send an email using the builder API

... (truncated)

Commits

• aad0341 Version Packages (#13355)
• 8b71eca Bump the workerd-and-workers-types group with 2 updates (#13362)
• c510494 Bump the workerd-and-workers-types group with 2 updates (#13337)
• ad6faef Remove some more no-restricted-imports lint disabling comments from wrangle...
• 7ca6f6e [wrangler] Fix AI Search bindings not working in local dev without explicit r...
• 36c2c13 Version Packages (#13251)
• fa6d84f Bump the workerd-and-workers-types group with 2 updates (#13305)
• 6fa5dfd [wrangler] Use formatConfigSnippet for compatibility_date warning in dev (#13...
• 7d318e1 Bump the workerd-and-workers-types group across 1 directory with 2 updates (#...
• 8f0c544 Make argsIgnorePattern for no-unused-vars lint rule more strict (#13180)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	101week-contracts	aa0333d	Commit Preview URL Branch Preview URL	Apr 12 2026, 10:18 PM